Building Secure Web Services with BEA WebLogic Workshop

BEA WebLogic is a Java EE based application server and middleware platform produced by the American company BEA Systems. It is used to develop, integrate, deploy and manage large-scale distributed web, network and database applications, bringing the dynamic capabilities of Java and the Java Enterprise security standards to large-scale web application development, integration, deployment and management.

THE 8TH ANNUAL BEA TECHNOLOGY CONFERENCE

Building Secure Web Services
with BEA WebLogic Workshop
David Remy
Director, Product Design
BEA Systems, Inc.

Disclaimer
This information represents work in progress
This information is NOT a commitment by BEA
This information is subject to change
Learning Objectives


• As a result of this presentation, you will
  be able to:
   • Understand how Weblogic Server security
     relates to Weblogic Workshop security
   • Develop a Weblogic Workshop web services
     security strategy using transport security,
     message security, and/or role based security
   • Understand the new Weblogic Workshop 8.1
     WS-Security implementation




Speaker’s Qualifications


• David Remy is a Director of Product Design for
  Weblogic Workshop at BEA Systems, Inc. focused on
  Weblogic Workshop security, web services, and xml
  technologies.
• 16 years of industry experience prior to joining BEA
  including most recently as a co-founder of the security
  firm GeoTrust, Inc.
• Certified Information Systems Security Professional (CISSP)
  as well as Sun Certified Java Programmer.
• Currently co-authoring the book “Understanding Web
  Services Security” (June 2003) for Addison Wesley.




Presentation Agenda


• Security from the top
• Weblogic Server Security
• Weblogic Workshop Security
   • Transport Level Security
   • Message Level Security
   • Role Based Security
• Summary
• Q&A



Security from the top

Protecting information assets from internal and external compromise in a cost effective manner.

Cost effective = risk analysis
• What to protect
• How much $$ can be lost
• How much $$ to spend protecting

Security goals and services: Confidentiality, Integrity, Availability, plus Non-Repudiation, Authentication, Authorization, Identity proofing, etc.

Security Policy

Security Strategy & Mechanisms

Confidentiality * Integrity * Availability

Mechanisms (applied to Web Services):
• Cryptography
• Authentication techniques
• Access control
• Monitoring & auditing
• Intrusion Detection
• Vulnerability Analysis
• Separation of duties
• Load Balancing
• Firewalls
• Etc., Etc. Etc.

The Web Services Security Landscape

[Diagram: external facing web services (suppliers, vendors, customers) reach the container through web security techniques and XML security standards; inside the container, J2EE security and the internal security infrastructure (user lists, etc.) protect internal facing web services (EAI) and back end systems.]

Security Roles

• Administrator
   • Sets security policy
   • Manages users, groups, and roles
      • registration, revocation, pwd resets, etc.
• Test/QA
   • Validates that security policy is adhered to
• Developer
   • Develops to security policy
   • Manages keys and passwords
   • Works primarily with Roles

Weblogic Server and Weblogic Workshop – Partners in Security

[Diagram: Weblogic Server security covers Credentials, User/Group and Policy; Weblogic Workshop security works at the Role level.]

Administrators typically control Weblogic Server security … however … Workshop developers work primarily at the role level, and developers need to be familiar with the Weblogic Security Framework to develop and test secure web applications/services.

Weblogic Server and Weblogic Workshop – Partners in Security

Weblogic Security Framework
• Authentication
• Key Management
• Authorization
• Role Mapping
• Etc.

Weblogic Console
• Policy Management
• User Management

Workshop Web Services Security Overview

Three major security mechanisms:

Transport security (http)
• One Way SSL
• Basic Auth (Username Password)
• Two Way SSL

Message Based Security
• Tokens (Authentication/Authorization)
• XML Encryption
• XML Signature

Role Based Security (application)
• roles-allowed
• roles-referenced
• run-as

Weblogic Server/Workshop Security Runtime

[Diagram: a request from the Internet (or a portal) passes first through Weblogic Server transport security (SSL, Basic Auth, Client Cert), then through message based security (WS-Security: Token, Signature, Encryption), then through Weblogic Workshop role based security (roles-allowed, roles-referenced, run-as). The authenticated principal established at each stage travels with the request; all three layers sit on the WLS Security Framework.]

Transport Based Security




Transport Security 1 (http)

What is it?
SSL/TLS
• Encryption
• Authentication of server (only as strong as the client's validation of the certificate chain and host name)
Basic Auth
• Username Password
• By default in the clear (base64 encoded, not encrypted), unless combined with SSL

Client Auth (Two way SSL) (Mutual Auth)
• Combines with one way SSL (above)
• Client must provide X509 Certificate from trusted authority

Transport Security
Advantages and Disadvantages

Advantages:
• Mature – tried and true
• Supported by most clients and all web containers
• Understood by most administrators

Disadvantages:
• Point to point. Information in the clear after endpoint.
• Intermediaries (firewalls) cannot read content

Transport Security in Weblogic Workshop - Inbound

[Diagram: callers to your web service and callbacks from other web services both enter through the Weblogic Server web container that hosts Workshop.]

• Container handles handshake, credentials gathering, encryption, based on web.xml
• All inbound to your web service treated the same – caller or callback

Transport Security in Weblogic Workshop - Inbound

Modify web.xml (1 = SSL, 2 = Basic Auth or Client Auth):

<web-app>
   . . .
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>myjws</web-resource-name>
         <description>MyJws</description>
         <url-pattern>/my.jws</url-pattern>
         <http-method>POST</http-method>
      </web-resource-collection>
      <!-- add an <auth-constraint> with the allowed role names here: without one the
           container enforces the transport guarantee but does not require the caller
           to authenticate -->
      <!-- 1: SSL -->
      <user-data-constraint>
         <description>SSL required</description>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
   <!-- 2: BASIC for Basic Auth, CLIENT-CERT for Client Auth (two way SSL) -->
   <login-config>
      <auth-method>BASIC</auth-method>
   </login-config>
   . . .
</web-app>

wlw-config.xml (per-jws protocol override):

<config>
   <protocol>http</protocol>
   <hostname>localhost</hostname>
   <http-port>7001</http-port>
   <https-port>7002</https-port>
   <jws>
      <class-name>MyJWS</class-name>
      <protocol>https</protocol>
   </jws>
   …
</config>

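The web.xml fragment above turns on SSL and Basic Auth for /my.jws, but as written it constrains only POST and carries no auth-constraint. The following is an added example, not Workshop or BEA code, that audits a descriptor for exactly those gaps; the function name and the two sample descriptors (one built from the slide, one hardened) are constructed for the example.

```python
"""Audit the security-constraints in a Workshop web.xml.

Added example, not code from the deck or from BEA.  It parses a servlet 2.3
style web.xml (namespaced 2.4+ descriptors are handled by stripping the
namespace) and reports the gaps the slide's fragment leaves open.
"""
import xml.etree.ElementTree as ET

VALID_AUTH_METHODS = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}


def _strip_namespaces(root):
    """Servlet 2.4+ descriptors carry a namespace; drop it so tag names compare plainly."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_web_xml(web_xml: str) -> list:
    """Return a list of human-readable findings; an empty list means no gap was found."""
    root = _strip_namespaces(ET.fromstring(web_xml))
    findings = []
    for sc in root.findall("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            # Listing http-methods narrows the constraint to exactly those verbs;
            # a GET (or any other verb) to the same url-pattern is then unconstrained.
            if methods:
                findings.append(f"{name} {patterns}: constraint applies only to {methods}; "
                                "other HTTP methods reach the resource unconstrained")
        # Without an auth-constraint the container accepts the request without
        # requiring authentication; only the transport guarantee is enforced.
        if sc.find("auth-constraint") is None:
            findings.append(f"{name}: no auth-constraint, caller is not required to authenticate")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee")
        if (guarantee or "").strip() != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee is not CONFIDENTIAL; "
                            "Basic Auth credentials would travel base64-encoded, not encrypted")
    for am in root.findall("login-config/auth-method"):
        if (am.text or "").strip() not in VALID_AUTH_METHODS:
            findings.append(f"login-config: auth-method {am.text!r} is not one of "
                            f"{sorted(VALID_AUTH_METHODS)}")
    return findings


# Constructed from the slide: SSL plus BASIC, but POST-only and no auth-constraint.
SLIDE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myjws</web-resource-name>
      <url-pattern>/my.jws</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed hardened form: every verb, authentication required for a named role, SSL required.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myjws</web-resource-name>
      <url-pattern>/my.jws</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>employee</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>employee</role-name></security-role>
</web-app>"""


if __name__ == "__main__":
    for label, doc in (("slide", SLIDE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or ["no findings"])
```

The two findings on the slide's descriptor are the ones worth remembering: an http-method list is a whitelist of verbs the constraint covers, not a block on the others, and a security-constraint without an auth-constraint only forces SSL.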
Transport Security in Weblogic Workshop - Outbound

[Diagram: callbacks from your web service and calls to another web service both leave through the Weblogic Server web container that hosts Workshop.]

Callbacks from your web service (callback object):
Basic Auth
   callback.setUserName()
   callback.setPassword()
Client Cert
   callback.setClientKeySSL()
   callback.setClientKeyAlias()
   callback.setClientKeyPassword()
   (optional)
   callback.setClientKeystoreLocation()
   callback.setClientKeystorePassword()

Calling another web service (service control):
Basic Auth
   serviceControl.setUserName()
   serviceControl.setPassword()
Client Cert
   serviceControl.setClientKeySSL()
   serviceControl.setClientKeyAlias()
   serviceControl.setClientKeyPassword()
   (optional)
   serviceControl.setClientKeystoreLocation()
   serviceControl.setClientKeystorePassword()

Transport Security in Weblogic
Workshop - Summary


• Solid, strong enterprise security
• Most likely to be interoperable with other
  parties
• Less granular than message level security
   • Can’t differentiate callbacks
   • Can’t differentiate request/response
• Point to point means that message itself is
  not secure …


Message Based Security




Message Level Security in Workshop

WS-Security implementation

Advantages:
• Allows the message to be self protecting
• Portions of message can be secured to different parties
• More granular (callbacks, request/response)

Disadvantages:
• Immature, still in Oasis Technical committee
• Complex, encompassing many other standards including XML Signature, XML Encryption, and more

WS-Security

History and status
• Submitted as a note by Microsoft, IBM, and Verisign to the W3C (April 2002)
• Oasis Security TC (July 2002)
• Still in committee

Highlights
• New soap security header
• Defines no new security mechanisms, refers to others such as XML Signature, XML Encryption, and SAML
• Specifies some best practices where applicable
• Extremely flexible, able to support new security requirements going forward

WS-Security
What is it?

XML Signature
• Typically for authentication or authorization
• Can sign any portion of message
• Can have multiple signatures
• Sign with private key

XML Encryption
• Can encrypt any portion of message
• Can have multiple encryptions for different recipients
• Symmetric encryption (very fast, large data, but key management issues)
• Asymmetric encryption (slow, small data, better key management) to wrap symmetric keys
• Encrypt with public key

Token Types (can be signed or unsigned)
• UserName
• BinaryToken
   • X509Token
   • KerberosToken
• XML Token
   • SAML
   • XACML

WS-Security Example Message

Security Header
<wsse:Security
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">

UserName Token
<wsse:UsernameToken Id="MyID">
      <wsse:Username>frank</wsse:Username>
      <wsse:Password>password</wsse:Password>
</wsse:UsernameToken>

BinarySecurityToken
<wsse:BinarySecurityToken
   ValueType="wsse:X509v3"
   Id="X509Token"
   EncodingType="wsse:Base64Binary">
   MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
</wsse:BinarySecurityToken>

(The Password element above carries the password in clear text, so the message must travel over SSL. The alternative is the digest form of the token, Base64(SHA-1(nonce + created + password)), sent with a Nonce and a Created timestamp so the receiver can reject stale and replayed tokens.)

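The digest form of the UsernameToken mentioned above, built on the client and checked on the service, as an added example (not code from the deck or from BEA). The wsse namespace is the one on the slide; the wsu namespace used for Created, the five minute freshness window and the in-memory nonce cache are assumptions made for the example.

```python
"""WS-Security UsernameToken with PasswordDigest, build and verify.

Added example, not code from the deck or from BEA.  The digest rule is the
one from the WS-Security UsernameToken profile:
    Password_Digest = Base64(SHA-1(nonce + created + password))
with nonce as raw octets.  The wsu namespace below and the verifier's
freshness window are assumptions for the example.
"""
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"   # namespace used on the slide
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"   # assumed for wsu:Created
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce || created || password)) as the profile specifies."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username: str, password: str, nonce: bytes = None, created: str = None) -> str:
    """Client side: a fresh nonce and timestamp each time, the password itself is never sent."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    tok = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", Type="wsse:PasswordDigest")
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Service side: checks the digest, the timestamp window and nonce reuse."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords      # username -> password, as the realm would hold it
        self.max_skew = max_skew
        self.seen_nonces = set()        # (username, nonce) pairs already accepted

    def verify(self, token_xml: str, now: datetime = None):
        """Return (accepted, reason)."""
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(token_xml)
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw_el is None or pw_el.get("Type") != "wsse:PasswordDigest":
            return False, "only PasswordDigest is accepted; PasswordText is a clear-text credential"
        if user not in self.passwords or not nonce_b64 or not created:
            return False, "unknown user or missing Nonce/Created"
        try:
            ts = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed Created"
        if abs(now - ts) > self.max_skew:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_b64)
        if (user, nonce) in self.seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(nonce, created, self.passwords[user])
        if not secrets.compare_digest(expected, pw_el.text or ""):
            return False, "digest mismatch"
        self.seen_nonces.add((user, nonce))
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"frank": "password"})
    token = build_username_token("frank", "password")
    print(token)
    print(verifier.verify(token))   # (True, 'ok')
    print(verifier.verify(token))   # (False, 'nonce replayed')
```

The digest protects the password on the wire but not against an offline guess by anyone who captures the token, so SSL is still the right default; the nonce cache is what turns a captured token into a one-shot credential.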
WS-Security Example Message
XML Encryption

<xenc:EncryptedKey>
   <xenc:EncryptionMethod
        Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <ds:KeyInfo>
      <ds:KeyName>CN=Hiroshi Maruyama, C=JP</ds:KeyName>
   </ds:KeyInfo>
   <xenc:CipherData>
      <xenc:CipherValue>d2FpbmdvbGRfE0lm4byV0...</xenc:CipherValue>
   </xenc:CipherData>
   <xenc:ReferenceList>
      <xenc:DataReference URI="#body"/>
   </xenc:ReferenceList>
</xenc:EncryptedKey>

<S:Body>
   <xenc:EncryptedData
      Type="http://www.w3.org/2001/04/xmlenc#Element" Id="body">
      <xenc:EncryptionMethod
          Algorithm="http://www.w3.org/2001/04/xmlenc#3des-cbc"/>
      <xenc:CipherData>
         <xenc:CipherValue>d2FpbmdvbGRfE0lm4byV0...</xenc:CipherValue>
      </xenc:CipherData>
   </xenc:EncryptedData>
</S:Body>

• EncryptedKey wraps the symmetric key; ds:KeyInfo/ds:KeyName refers to the recipient's X509 certificate (which contains the public key the symmetric key was wrapped with).
• ReferenceList points at the EncryptedData (Id="body") that the wrapped key decrypts.
• Common usage for web services.
• Caveat: rsa-1_5 (PKCS#1 v1.5) key transport and 3des-cbc are the algorithms the 2001 spec required; both are exposed to padding-oracle attacks when the receiver's error behaviour leaks, so a current deployment should prefer RSA-OAEP for key transport and an AEAD mode (AES-GCM, XML Encryption 1.1) for the body.

WS-Security Example Message
XML Signature

<ds:Signature>
   <ds:SignedInfo>
      <ds:CanonicalizationMethod
         Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod
         Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#body">                 <!-- reference to what is signed -->
         <ds:DigestMethod
            Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>LyLsF094hPi4wPU...</ds:DigestValue>
      </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue>                           <!-- the signature itself -->
      Hp1ZkmFZ/2kQLXDJbchm5gK...
   </ds:SignatureValue>
   <ds:KeyInfo>
      <wsse:SecurityTokenReference>             <!-- reference back to the BinarySecurityToken -->
         <wsse:Reference URI="#X509Token"/>
      </wsse:SecurityTokenReference>
   </ds:KeyInfo>
</ds:Signature>

(The slide wrote the reference as uri="body"; the XML Signature attribute is URI and a same-document reference needs the leading "#". rsa-sha1 and sha1 were the mandatory algorithms of the 2002 spec; SHA-1 is no longer collision resistant, so prefer rsa-sha256 and sha256 where the peer supports them. A receiver must also confirm that the element the Reference resolves to is the SOAP Body it will actually process, not merely that the SignatureValue verifies.)

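The structural check named in the note above, as an added example that is not code from the deck or from BEA. It does not verify the SignatureValue (that needs canonicalization and an XML-DSig library); it resolves each ds:Reference URI and insists that the referenced element is unique and is the S:Body the service will dispatch, which is what defeats XML Signature Wrapping. The function name and the three sample envelopes are constructed for the example.

```python
"""Check what a WS-Security signature actually covers.

Added example, not code from the deck or from BEA.  Each ds:Reference URI
must resolve to exactly one element, and the signed element must be the
S:Body the application will process, not a signed copy parked under the
header (XML Signature Wrapping).  The envelopes below are constructed.
"""
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://schemas.xmlsoap.org/ws/2002/04/secext"   # namespace used on the slide


def elements_with_id(root, ident):
    """All elements whose Id attribute (any namespace, e.g. wsu:Id) equals ident."""
    hits = []
    for el in root.iter():
        for attr, value in el.attrib.items():
            if attr.rsplit("}", 1)[-1] == "Id" and value == ident:
                hits.append(el)
    return hits


def signed_body_ok(envelope_xml):
    """Return (ok, reason): ok only if a Reference resolves uniquely to the real Body."""
    env = ET.fromstring(envelope_xml)
    body = env.find(f"{{{S}}}Body")                       # the Body that will be dispatched
    sig = env.find(f"{{{S}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if body is None or sig is None:
        return False, "no S:Body or no ds:Signature inside wsse:Security"
    refs = sig.findall(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    if not refs:
        return False, "SignedInfo has no Reference"
    for ref in refs:
        uri = ref.get("URI", "")
        if not uri.startswith("#") or len(uri) < 2:
            return False, f"unsupported Reference URI {uri!r}"
        hits = elements_with_id(env, uri[1:])
        if len(hits) != 1:
            return False, f"Id {uri[1:]!r} resolves to {len(hits)} elements, not 1"
        if hits[0] is body:
            return True, "signature covers the Body that will be processed"
    return False, "no Reference points at the Body: signed content is elsewhere (wrapping)"


SIGNATURE = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:ds="{DS}">
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#body"/>
        </ds:SignedInfo>
        <ds:SignatureValue>Hp1ZkmFZ/2kQLXDJbchm5gK...</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>"""

# Constructed: the signed Body is the one the service will execute.
LEGIT = f"""<S:Envelope xmlns:S="{S}">
  <S:Header>{SIGNATURE}</S:Header>
  <S:Body Id="body"><getBalance account="1001"/></S:Body>
</S:Envelope>"""

# Constructed wrapping attack: the signed Body (Id="body") is moved under a
# Wrapper element in the header, where the signature still verifies, and an
# unsigned Body with a different operation is what gets dispatched.
WRAPPED = f"""<S:Envelope xmlns:S="{S}">
  <S:Header>{SIGNATURE}
    <Wrapper><S:Body Id="body"><getBalance account="1001"/></S:Body></Wrapper>
  </S:Header>
  <S:Body><transfer from="1001" to="6666" amount="5000"/></S:Body>
</S:Envelope>"""

# Constructed: two elements carry Id="body", so the reference is ambiguous.
DUPLICATE_ID = f"""<S:Envelope xmlns:S="{S}">
  <S:Header>{SIGNATURE}<Note Id="body"/></S:Header>
  <S:Body Id="body"><getBalance account="1001"/></S:Body>
</S:Envelope>"""


if __name__ == "__main__":
    for label, doc in (("legit", LEGIT), ("wrapped", WRAPPED), ("duplicate id", DUPLICATE_ID)):
        print(label, signed_body_ok(doc))
```

Run this after, not instead of, the cryptographic verification: a valid signature over the wrong element is exactly the case the check exists for.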
WS-Security in Workshop

Take a simplified, most applicable, path through WS-Security

Tokens
   • UserNameToken
   • BinarySecurityToken - X509Token*

XML Encryption
   • Body
   • Conversation Header

XML Signature
   • Body
   • Conversation Header

[Diagram: UserNameToken, XML Encryption and XML Signature can be mixed and matched.]

WS-Security Annotations

Two new annotations:
@jws:ws-security-policy-service file="mySecurityPolicy.xml"
@jws:ws-security-policy-callback file="myCallbackSecurityPolicy.xml"

           <?xml version="1.0" encoding="UTF-8"?>
           <wsSecurityPolicy xmlns="http://www.bea.com/2003/03/wsse/config"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.bea.com/2003/03/wsse/config
           D:\dev\knex\src\com\bea\wlw\runtime\jws\wssecurity\config\WSSecurity-policy.xsd">
             <wsSecurityIn>
               <token tokenType="username"/>
               <encryptionRequired>
                 <decryptionKey>
                   <alias>myPublicKey</alias>
                   <password>myPassword</password>
                 </decryptionKey>
               </encryptionRequired>
               <signatureRequired>true</signatureRequired>
             </wsSecurityIn>
             <wsSecurityOut>
               <userNameToken>
                 <userName>testUser</userName>
                 <password type="TEXT">testPassword</password>
               </userNameToken>
               <encryption>
                 <encryptionKey>
                   <alias>myPublicKey</alias>
                 </encryptionKey>
               </encryption>
               <signatureKey>
                 <alias>myPrivateKey</alias>
                 <password>myPrivateKeyPassword</password>
               </signatureKey>
             </wsSecurityOut>
             <keyStore>
               <keyStoreLocation>/myKeyStore.jks</keyStoreLocation>
               <keyStorePassword>myKeyStorePassword</keyStorePassword>
             </keyStore>
           </wsSecurityPolicy>

Note that the policy file holds the outbound user password and the key and keystore passwords in clear text: protect it with the same file permissions as the keystore itself and keep it out of source control.

Understanding
@jws:ws-security-policy-service in a jws

[Diagram: a web service client sends an inbound message to myWebService.jws and receives the response message.]

myWebService.jws
@jws:ws-security-policy-service
   ws-security-policy-in (inbound message)
   • token required?
   • encryption required?
      • where to find keypair?
   • signature required?

   ws-security-policy-out (response message)
   • insert token (username/password, etc)?
   • encrypt message?
      • using what public key?
   • sign message?
      • using what private key?

Understanding
@jws:ws-security-policy-service in a jcx

[Diagram: myWebService.jws calls another web service through the service control otherWebService.jcx; the outbound message goes to the other web service and the response message comes back.]

otherWebService.jcx
@jws:ws-security-policy-service
   ws-security-policy-out (outbound message)
   • insert token (username/password, etc)?
   • encrypt message?
      • using what public key?
   • sign message?
      • using what private key?

   ws-security-policy-in (response message)
   • token required?
   • encryption required?
      • where to find keypair?
   • signature required?

ws-security-policy file example

    <wsSecurityPolicy xmlns="http://www.bea.com/2003/03/wsse/config">
      <!-- Specify inbound policy -->
      <wsSecurityIn>
        <token tokenType="username"/>
        <encryptionRequired>
          <decryptionKey>
            <alias>myPublicKey</alias>
            <password>myPassword</password>
          </decryptionKey>
        </encryptionRequired>
        <signatureRequired>true</signatureRequired>
      </wsSecurityIn>
      <!-- Specify outbound policy -->
      <wsSecurityOut>
        <userNameToken>
          <userName>testUser</userName>
          <password type="TEXT">testPassword</password>
        </userNameToken>
        <encryption>
          <encryptionKey>
            <alias>myPublicKey</alias>
          </encryptionKey>
        </encryption>
        <signatureKey>
          <alias>myPrivateKey</alias>
          <password>myPrivateKeyPassword</password>
        </signatureKey>
      </wsSecurityOut>
      <!-- Optionally specify keystore -->
      <keyStore>
        <keyStoreLocation>/myKeyStore.jks</keyStoreLocation>
        <keyStorePassword>myKeyStorePassword</keyStorePassword>
      </keyStore>
    </wsSecurityPolicy>

Message Level Security (WS-Security)
Wrap-up

• Class level annotations, not operation level
• WSDL ws-security info
• Remember request and response are each soap messages (the in and out policies are applied separately)
• SSL with username token (the token otherwise carries the password readable on the wire)
• Familiarity with PKI a must …

Role Based Security




Role Based Security

[Diagram: credentials arrive through transport based and/or message based security; the Weblogic Security Framework turns them into a Security Principal, which your jws checks against its annotations.]

Your jws:
@common:security
   roles-allowed="manager employee"
   roles-referenced="manager employee"
   run-as="system"
   single-principal="true"

In Code:
context.isCallerInRole("manager")

Using roles-allowed

@wlw:security roles-allowed="<role-name> […<role-name>]"

• Optional (if not present the operation is unchecked: any caller, authenticated or not, can access it)
  Semantically equivalent to EJB:
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>EmployeeBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>

• Class level (applies to all operations in the jws)
  Semantically equivalent to EJB:
    <assembly-descriptor>
      <method-permission>
        <role-name>ADMIN</role-name>
        <role-name>READONLY</role-name>
        <method>
          <ejb-name>EmployeeBean</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
    </assembly-descriptor>

• JWS Operation level (union with class level roles-allowed)
  Semantically equivalent to EJB:
    <method-permission>
      <role-name>…</role-name>
      <method>
        <ejb-name>EmployeeBean</ejb-name>
        <method-name>getFirstName</method-name>
      </method>
      <method>
        <ejb-name>EmployeeBean</ejb-name>
        <method-name>getLastName</method-name>
      </method>
    </method-permission>

Using roles-referenced and isCallerInRole()

@wlw:security roles-referenced="<role-name> […<role-name>]"

The list of roles that have been referenced in your code.

Programmatic access to security info:
 context.isCallerInRole("role-name")
 context.getCallingPrincipal().getName()

Objective: independence of code from target environment role names

Semantically equivalent to EJB:
...
<enterprise-beans>
    ...
    <session>
        <ejb-name>Op</ejb-name>
        <ejb-class>sb.OpBean</ejb-class>
        ...
        <security-role-ref>
          <role-name>role1</role-name>
        </security-role-ref>
        ...
    </session>
    ...
</enterprise-beans>
...

Using run-as

@wlw:security run-as="<role-name> […<role-name>]"

The identity that a jws will run-as when it makes calls

[Diagram: principal "frank jones" calls My.jws, which is annotated @common:security run-as="System"; the calls My.jws makes through its Database Control and EJB Control reach the database and the EJB as principal System.]

    Conversations and security annotations
    single-principal

@wlw:security single-principal="true" | "false"

[Diagram: principal Jane sends "conversation start" to My.jws; principal
Sally then sends "conversation continue" for the same conversation and the
call is denied.]

                                                      39
 Conversations and security annotations
 run-as="<start-user>"

Without run-as="<start-user>"

[Diagram: Jane starts the conversation with My.jws; the calls My.jws makes
to its Database Control and EJB Control, and on to the Database and the EJB,
run as Jane. Sally continues the conversation, and the same downstream
calls now run as Sally.]

                                                                              40
Conversations and security annotations
run-as="<start-user>"

With run-as="<start-user>"

[Diagram: Jane starts the conversation with My.jws; the calls My.jws makes
to its Database Control and EJB Control, and on to the Database and the EJB,
run as Jane. Sally continues the conversation, but the downstream calls
still run as Jane, the principal who started it.]

                                                                             41
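As an added example (not from the slides and not BEA's own sample code), here is a conversational Workshop 8.1 JWS that combines the two conversation annotations above: single-principal="true" so that only the principal who started the conversation may continue or finish it, and run-as="<start-user>" so that every downstream control call in the conversation, whoever sends the continue message, runs as that starting principal. The service name, the "trader" role, the Database control field and its method are assumptions; the @jws:conversation and @common:control plumbing follows the Workshop 8.1 conventions as assumed here.

```java
package services;

import com.bea.control.JwsContext;

/**
 * Added example: a conversation pinned to the principal who started it.
 * Service name, role name and the control are constructed for illustration.
 *
 * single-principal="true"  : a continue/finish from a principal other than the
 *                            starter is denied before the method runs
 * run-as="<start-user>"    : downstream calls keep the starter's identity even
 *                            if a later message arrives under another principal
 *
 * @common:security roles-allowed="trader"
 *                  single-principal="true"
 *                  run-as="<start-user>"
 */
public class OrderConversation implements com.bea.jws.WebService {

    /** Assumed @common:context wiring. @common:context */
    JwsContext context;

    /**
     * Hypothetical Database control; OrderDb and insertLine() are assumed,
     * not a real BEA control. Its calls run as the conversation's start user.
     * @common:control
     */
    private OrderDb orderDb;

    /** Conversation state; Workshop persists this between messages. */
    private String symbol;
    private int totalQuantity;

    /**
     * The principal on this message becomes the conversation's start user.
     * @common:operation
     * @jws:conversation phase="start"
     */
    public void startOrder(String symbol) {
        this.symbol = symbol;
        this.totalQuantity = 0;
    }

    /**
     * Because of single-principal="true", a caller other than the starter never
     * reaches this body. Because of run-as="<start-user>", insertLine() is made
     * under the starter's identity, not the identity on this message.
     * @common:operation
     * @jws:conversation phase="continue"
     */
    public void addLine(int quantity) {
        totalQuantity += quantity;
        orderDb.insertLine(symbol, quantity);
    }

    /**
     * @common:operation
     * @jws:conversation phase="finish"
     */
    public int commit() {
        return totalQuantity;
    }
}
```

Without single-principal="true", the second slide above applies: any caller in roles-allowed can continue Jane's conversation, and without run-as="<start-user>" the control calls would be made as whoever sent that message.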
Role Based Security Summary


• Role security -> @common:security annotation
• There are 4 role annotations:
   •   roles-allowed
   •   roles-referenced
   •   run-as
   •   single-principal
• You can also use context.isCallerInRole("role")
  within your code – but remember to add the role to
  roles-referenced


                                                    42
Workshop Security Summary

•   The Weblogic Server Security Framework takes care of most of the
    work to accept credentials and bind the principal
•   Three major Workshop security mechanisms:
     • Transport Security
     • Message Level Security (WS-Security)
     • Role Based Security
•   Transport security is mature and viable for many, if not most,
    situations
•   WS-Security is less mature but very flexible and powerful
•   As a developer you must be aware of Transport and Message
    based security – but the focus within your jws itself will be on roles
Best of luck!




                                                                         43
Q&A
Thank you!